pascal257 (OP)
|
|
December 02, 2013, 01:26:41 AM |
|
News: If you used your password to login between 06:00 Dec 1 UTC and 20:00 Dec 2 UTC, then your password may have been captured in a man-in-the-middle attack, and you should change your password here and wherever else you used it. If you were only logged in via the "remember me" feature, then you're OK. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Here's what we think happened:
8-14 hours ago, an attacker used a flaw in the forum's AnonymousSpeech registrar to change the forum's DNS to point to 108.162.197.161 (exact details unknown). Sirius noticed this 8 hours ago and immediately transferred bitcointalk.org to a different registrar. However, such changes take about 24 hours to propagate.
Because the HTTPS protocol is pretty terrible, this alone could have allowed the attacker to intercept and modify encrypted forum transmissions, allowing them to see passwords sent during login, authentication cookies, PMs, etc. Your password only could have been intercepted if you actually entered it while the forum was affected. I invalidated all security codes, so you're not at risk of having your account stolen if you logged in using the "remember me" feature without actually entering your password.
For the next ~20 hours, you should only log into the forum if you're quite sure that you're talking to the correct server. This can be done by adding '109.201.133.195 bitcointalk.org' to your hosts file (remember to remove it later!), or by using some browser plugin to ensure that you're talking to the server with TLS certificate SHA1 fingerprint of: 29:0E:CC:82:2B:3C:CE:0A:73:94:35:A0:26:15:EC:D3:EB:1F:46:6B
Simultaniously, the forum has been the target of a massive DDoS attack. These two events are probably related, though I'm not yet sure why an attacker would do both of these things at once. -----BEGIN PGP SIGNATURE-----
iF4EAREIAAYFAlKb2nkACgkQxlVWk9q1kefhTwD+Ni5k7CUrHjvzG29wO3Gx4Am+ MV5tdw8zE1AAWvbstt8BAIrndOXCYmawoXN+VeSZkLXHnCyQbR8IOftQnpl2aXYs =465T -----END PGP SIGNATURE-----
I think the end date in the news is wrong, it seems to be in the future. Or is that a precaution regarding DNS propagation?
|
|
|
|
smeagol
Legendary
Offline
Activity: 1008
Merit: 1005
|
|
December 02, 2013, 01:57:09 AM |
|
yes, the date is tomorrow. that is interesting
|
|
|
|
theymos
Administrator
Legendary
Offline
Activity: 5334
Merit: 13305
|
|
December 02, 2013, 02:12:09 AM |
|
it seems to be in the future. Or is that a precaution regarding DNS propagation?
Right.
|
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
|
|
|
anti-scam
Sr. Member
Offline
Activity: 476
Merit: 251
COINECT
|
|
December 02, 2013, 04:51:29 AM |
|
Was this attack only a MitM to steal passwords or was malicious content served? I've read reports of suspicious Java applets.
|
|
|
|
theymos
Administrator
Legendary
Offline
Activity: 5334
Merit: 13305
|
|
December 02, 2013, 04:53:14 AM |
|
Was this attack only a MitM to steal passwords or was malicious content served? I've read reports of suspicious Java applets.
There was only one report of that, and I think that he was probably thinking of Java Script. CloudFlare has an error page that asks you to enable JS so it can more accurately fingerprint you.
|
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
|
|
|
anti-scam
Sr. Member
Offline
Activity: 476
Merit: 251
COINECT
|
|
December 02, 2013, 05:07:43 AM |
|
Was this attack only a MitM to steal passwords or was malicious content served? I've read reports of suspicious Java applets.
There was only one report of that, and I think that he was probably thinking of Java Script. CloudFlare has an error page that asks you to enable JS so it can more accurately fingerprint you. Well I had a random browser crash after being served an odd page when accessing the site (though I don't have Java or JS enabled) but it must have been a coincidence.
|
|
|
|
extortion
|
|
December 02, 2013, 05:21:43 AM |
|
Was the Hacker Named Robert DROP TABLES?
|
Extortion. We are Anonymous. We are legion. We do not forgive. We Do Not Forget. Expect Us.
|
|
|
justusranvier
Legendary
Offline
Activity: 1400
Merit: 1013
|
|
December 02, 2013, 05:23:23 AM |
|
|
|
|
|
maurya78
|
|
December 02, 2013, 09:54:26 AM |
|
you are right, hadn't noticed that the end date is in the future
Very interesting
|
|
|
|
Sindelar1938
|
|
December 02, 2013, 10:28:12 AM |
|
I just changed my password and other settings Anything else that I need to do to be safe? Thanks for any input
|
|
|
|
wachtwoord
Legendary
Offline
Activity: 2338
Merit: 1136
|
|
December 02, 2013, 11:51:01 AM |
|
I logged on just now via the ip 109.201.133.195 then everything should be peachy right?
|
|
|
|
Kluge
Donator
Legendary
Offline
Activity: 1218
Merit: 1015
|
|
December 02, 2013, 11:54:59 AM |
|
I logged on just now via the ip 109.201.133.195 then everything should be peachy right?
Yeah. You can double-check the SSL certificate if you want. SHA1 fingerprint should be 29 0e cc 82 2b 3c ce 0a 73 94 35 a0 26 15 ec d3 eb 1f 46 6b
|
|
|
|
jarhed
|
|
December 02, 2013, 12:06:04 PM |
|
Yeah. You can double-check the SSL certificate if you want. SHA1 fingerprint should be 29 0e cc 82 2b 3c ce 0a 73 94 35 a0 26 15 ec d3 eb 1f 46 6b
All letters in my SHA1 fingerprint are full Caps. 29 0E CC 82 2B 3C CE 0A 73 94 35 A0 26 15 EC D3 EB 1F 46 6B
|
|
|
|
wachtwoord
Legendary
Offline
Activity: 2338
Merit: 1136
|
|
December 02, 2013, 12:12:02 PM |
|
I logged on just now via the ip 109.201.133.195 then everything should be peachy right?
Yeah. You can double-check the SSL certificate if you want. SHA1 fingerprint should be 29 0e cc 82 2b 3c ce 0a 73 94 35 a0 26 15 ec d3 eb 1f 46 6b Thanks, it checks out
|
|
|
|
CIYAM
Legendary
Offline
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
|
|
December 02, 2013, 12:21:09 PM |
|
All letters in my SHA1 fingerprint are full Caps.
Caps is not relevant for the hash value when it's displayed as hex (i.e. it can be shown using either upper or lower case letters but is still the same hash value regardless).
|
|
|
|
jarhed
|
|
December 02, 2013, 12:38:46 PM |
|
All letters in my SHA1 fingerprint are full Caps.
Caps is not relevant for the hash value when it's displayed as hex (i.e. it can be shown using either upper or lower case letters but is still the same hash value regardless). Thanx.
|
|
|
|
Phinnaeus Gage
Legendary
Offline
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
|
|
December 03, 2013, 12:09:20 AM |
|
Yeah. You can double-check the SSL certificate if you want. SHA1 fingerprint should be 29 0e cc 82 2b 3c ce 0a 73 94 35 a0 26 15 ec d3 eb 1f 46 6b
All letters in my SHA1 fingerprint are full Caps. 29 0E CC 82 2B 3C CE 0A 73 94 35 A0 26 15 EC D3 EB 1F 46 6B Let's pretend for a sec that I don't have a clue as to where to look for the above. Remember, we're only pretending, but any help would be appreciated by those who don't know how to pretend. ~TMI BTCITW
|
|
|
|
jackjack
Legendary
Offline
Activity: 1176
Merit: 1257
May Bitcoin be touched by his Noodly Appendage
|
|
December 03, 2013, 12:10:31 AM |
|
Click on the padlock, then try to find it
|
Own address: 19QkqAza7BHFTuoz9N8UQkryP4E9jHo4N3 - Pywallet support: 1AQDfx22pKGgXnUZFL1e4UKos3QqvRzNh5 - Bitcointalk++ script support: 1Pxeccscj1ygseTdSV1qUqQCanp2B2NMM2 Pywallet: instructions. Encrypted wallet support, export/import keys/addresses, backup wallets, export/import CSV data from/into wallet, merge wallets, delete/import addresses and transactions, recover altcoins sent to bitcoin addresses, sign/verify messages and files with Bitcoin addresses, recover deleted wallets, etc.
|
|
|
wachtwoord
Legendary
Offline
Activity: 2338
Merit: 1136
|
|
December 03, 2013, 12:16:40 AM |
|
Click on the padlock, then try to find it
The little lock in the address bar indicating it uses https (SSL)
|
|
|
|
jackjack
Legendary
Offline
Activity: 1176
Merit: 1257
May Bitcoin be touched by his Noodly Appendage
|
|
December 03, 2013, 12:18:27 AM |
|
Click on the padlock, then try to find it
The little lock in the address bar indicating it uses https (SSL) Yeah sorry I should have clarified that
|
Own address: 19QkqAza7BHFTuoz9N8UQkryP4E9jHo4N3 - Pywallet support: 1AQDfx22pKGgXnUZFL1e4UKos3QqvRzNh5 - Bitcointalk++ script support: 1Pxeccscj1ygseTdSV1qUqQCanp2B2NMM2 Pywallet: instructions. Encrypted wallet support, export/import keys/addresses, backup wallets, export/import CSV data from/into wallet, merge wallets, delete/import addresses and transactions, recover altcoins sent to bitcoin addresses, sign/verify messages and files with Bitcoin addresses, recover deleted wallets, etc.
|
|
|
|